Data processing is an integral part of any modern-day business. There can be many reasons why organisations need to process personal data, from acquiring new customers, to collecting cookies and running marketing campaigns.
GDPR regulations outline six lawful bases by which businesses can process personal data. These six lawful bases are: consent, contractual requirements, vital interests, legal requirements, public interest, and legitimate interest.
What is legitimate interest?
Legitimate Interest is one of the six conditions outlined by GDPR regulations that allow organisations to legally process personal data. Legitimate interests can include commercial, individual, or societal interests. The data processing must be necessary in order to be considered legitimate.
Legitimate interest can be a confusing concept to grasp. Other GDPR conditions are more self-explanatory, such as ‘contractual requirements’, ‘legal obligations’ and ‘vital interests’. Legitimate interest, however, is less clearly defined.
This article covers everything you need to know about legitimate interest to help organisations unpack this broad area in more detail.
When is legitimate interest mostly used?
Legitimate interest is the most flexible condition of GDPR’s six lawful bases of processing data, and relates to processing data in the interest of legitimate business, individual, or third party needs.
Legitimate interest is mostly used to process personal data in ways that people would reasonably expect and that have minimal impact on privacy. To process personal data on the basis of legitimate interests, organisations must have a compelling justification for processing the data.
For instance, it could be in the legitimate interest of a charity to increase its donor database. It could be the legitimate interest of a new business to obtain new customers via an acquisition-based marketing campaign.
The Information Commissioner’s Office (ICO) guidance states the following: “the legitimate interests can be your own interests or the interests of third parties. They can include commercial interests, individual interests or broader societal benefits.”
Defining legitimate interest sits at an organisational level. When processing personal data for direct marketing purposes, the organisation must complete a Legitimate Interest Assessment (LIA) and balancing test in order to document its legitimate interests.
Choosing to process personal data on the basis of legitimate interests can come with extra responsibility and obligation. Organisations must weigh up individuals’ rights and interests using a Legitimate Interest Assessment.
What counts as a ‘legitimate interest’?
Under GDPR, legitimate interest applies when organisations process personal data in ways that individuals would expect their data to be handled. Legitimate interests must be clearly specified and cannot run contrary to the law, ethical reasoning, or public policy.
This can make it difficult to determine whether legitimate interest can apply to your organisation’s data processing activities. To get a better understanding of what counts as legitimate interest, here are some examples of cases where this lawful basis is often applied.
Examples of legitimate interest
Examples of legitimate interests can include (but are not limited to):
- Processing client and employee data
- Prevention of fraud
- Intra-group transfers
- IT security
How to demonstrate legitimate interest
Demonstrating legitimate interest is essential if it is to be used as a lawful basis for data processing.
Article 6(1)(f) in the GDPR guidelines incorporates three key elements that can be used to test whether your activities demonstrate legitimate interests.
These three elements of legitimate interest include:
- Purpose test – is there a legitimate interest to process data?
- Necessity test – is data processing required to fulfil that purpose?
- Balancing test – are the legitimate interests outweighed by the individual’s rights, interests, and freedoms?
Purpose, necessity and balancing tests can be used to ascertain whether your data processing activities are within the realm of legitimate interests.
What does Article 6(1)(f) state about legitimate interests?
Official GDPR regulations state that organisations must adhere to a lawful basis when processing personal data – this should follow principles of lawfulness, fairness and transparency.
Article 6(1)(f) in the EU GDPR regulations states:
“1. Processing shall be lawful only if and to the extent that at least one of the following applies:
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
Does legitimate interest apply to marketing purposes?
Legitimate interest is one of the most commonly used lawful bases for collecting personal data for marketing purposes. There are many reasons why businesses may choose to store personal data for marketing, such as acquiring new customers.
This lawful basis can apply to marketing purposes, but the legitimate interest must be justified and documented.
This means that the GDPR basis of legitimate interest can depend on the circumstances, since interest can differ amongst businesses, sectors, markets and individuals.
Recital 47 of GDPR
Recital 47 of GDPR states that “direct marketing purposes may be regarded as carried out for legitimate interest”. The key word here is ‘may’, meaning that the justification of legitimate interest for direct marketing can depend on the context.
The best way for businesses to demonstrate legitimate interest is to carry out a legitimate interest purpose test. The results from this will give a more definitive impression of whether legitimate interest can apply to your marketing activities.
Does legitimate interest apply to cookies?
Legitimate interest does not apply to cookies. Cookies that collect website visitors’ personal information cannot be processed lawfully under GDPR without consent.
Following the introduction of GDPR laws in 2016, websites have required pop-ups that ask users for consent to collect cookies. If users do not accept the website’s request to collect cookies, then the site cannot lawfully process cookies to collect personal visitor data.
Where the required consent is not obtained, organisations cannot choose to rely on legitimate interests as an alternative.
What are the individual’s rights?
Under GDPR regulations, individuals have the following rights in regard to the processing of their personal data:
- The right to be informed
- The right of access
- The right to erasure
- The right to rectification
- The right to restrict processing
- The right to object
- The right to data portability
- Rights in relation to automated decision making and profiling.
Recital 75 of the GDPR regulations provides guidance on individuals’ rights and freedoms when it comes to data processing and legitimate interests. Individuals have protective rights in cases where data processing has the potential to impact them in any way. This includes physical, financial and personal impacts, as well as many other types, such as:
- Prevention from exercising rights
- Loss of control over personal data
- Social, economic, or reputational disadvantage
Can individual rights override legitimate interests?
Individual rights can override legitimate interests if an individual’s personal data is processed in ways that they would not reasonably expect. If the processing of personal data is unexpected in any way, the individual can exercise their rights to object and to restrict processing, as well as other freedoms.
This is because the individual loses control over how their personal data is used, and the processing does not align with their expectations and interests.
It is important to manage reasonable expectations from the outset of data processing under legitimate interests through clear transparency obligations that inform the individual of their ability to exercise rights.
When to avoid legitimate interest as a lawful basis
Avoid legitimate interests as a lawful basis of data processing if:
- You believe individuals might have personal reservations about the way their data is processed
- Data processing has the potential to cause harm to individuals or groups
- You are a public authority – public authorities cannot process data under legitimate interests unless there are clear commercial justifications.
To summarise, legitimate interest is one of the six lawful bases of data processing under GDPR. Legitimate interests can be a grey area that many businesses find confusing, since they are broadly defined as reasonable commercial, individual, or societal interests.
It is important for businesses to clearly define the legitimate interests they intend to rely on when processing data, and ensure that these are reasonable.
Is your data GDPR compliant?
Ensure your data is lawful and compliant with our GDPR compliance services. We help businesses process data lawfully and keep databases to a high quality for maximum results and fewer risks.
Have any questions? Get in touch with us.